
So... don't visit those sites?


Oh ok, let's keep a gaping security vulnerability open in the one runtime that everyone demands the ability to shove heaps of untrusted code into, just so that people can see the occasional really cool demo that gets posted on HN every few months run at 10 FPS on their phone.

There are holes in every graphics driver and OpenGL implementation out there (it's practically unavoidable, as it's a fairly low-level API). To expose that layer of an operating system to any random webpage a user clicks on is utter lunacy.

"So don't visit those sites." That's like saying your operating system's security policy is "just don't go to bad sites and you won't get viruses!"

@pavlov I'm not happy about CSS3 animations or the abundance of JavaScript you see today either, but that doesn't excuse people to pile even more ridiculous and insecure crap onto "the browser."


That's totally a legitimate criticism, and one that I hadn't heard before. Complaining about your phone's battery life when you can just as easily not visit the site has a lot less weight to it.


It's not legitimate criticism, because ARB_robustness exists. It's pure FUD.


>That's totally a legitimate criticism

I was adding it to my original comment when the drive-by downvoters arrived.

>Complaining about your phone's battery life when you can just as easily not visit the site has a lot less weight to it.

Do you really think that advertisers won't latch on to WebGL if it becomes widely adopted? I'm not "complaining" about the possibility of seeing some WebGL on $game_site, I'm worried about the inevitability of the banner ads that I already can't block on my phone suddenly becoming filled with eye-catching, battery-wasting 3D graphics, just as banner ads these days already use CSS3 animations to the same effect. I don't see why that isn't a valid concern.

Also, it's a matter of principle for me that apparently web developers don't agree with. I like the web as hypertext + the dumb terminal of our time. I don't see how things like WebGL benefit anybody but game developers and advertisers. Sometimes I feel like I'm the only one that sees the value in keeping the dumb terminal and the cross platform application API separate. We need both. There should be a simple way to run a game on all platforms (err, ignore for the moment that it already exists and is called SDL), and there should be some kind of easy-to-use "dumb" interface to society, but we're doing the world a disservice to combine the two.

Maybe I'm crazy, but I think certain vested interests are determined to turn the former into the latter, because they want to have their advertising pie and eat Apple's/Microsoft's/etc's app store pies as well. Maybe they were from the beginning, what with the talk of Netscape being at war with Microsoft.

The web is practically necessary to lead a normal life at this point. That people would focus not on taking the core of what makes the web actually matter for communication and as interfaces for the important services in our lives, making it simpler and more secure and more portable and easier to develop for, but instead on making it harder and harder to get down to that core, seems almost as wrong to me as banks in South Korea that require IE6.

That's the kind of principle I'm talking about. I understand if you don't agree with me; a lot of people have a lot invested in the web these days. However, I also don't see why I should have to bite my tongue about it.

@pyalot2 it's not FUD, because more code always means a larger attack surface, and OpenGL implementations happen to be a particularly large and historically poorly tested source of code. Bounds checking buffer accesses is an improvement but it doesn't magically make the implementations free of bugs. Check out this article from a while back on the state of OpenGL implementations for common chipsets used in Android devices, and tell me with a straight face you trust random webpages to talk to them:

https://news.ycombinator.com/item?id=6450747


I hadn't thought about the prospect of advertisers using WebGL for banner ads. That's... kind of gross actually.


That's not how it works. The GL calls and shaders are interpreted by the browser and run safely (modulo bugs), like JavaScript on your CPU.


That's absolutely not true; the security issues raised here are serious issues that resulted in a bunch of changes to the WebGL spec in order to alleviate them. Running untrusted code on the GPU is dangerous.


Not true how? I agree it's somewhat risky -- running untrusted code on the CPU is dangerous too and there have been bugs in sandboxing of JS/Java/Flash. Specs and implementations get tightened up, life goes on until the next bug.



